Pages

Pages

What is SVTI Virtual Tunnel Interface? How to configure IPsec Static virtual tunnel?

 

The virtual tunnel is also called native IPsec, VTI does the same job that GRE with IPsec does. They both encrypt the tunnel with IPsec. VTI removed the additional 4 bytes GRE header, thus reducing the bandwidth for sending encrypted data. VTI allows to configuration of ACL, NAT, and QoS. remember the default mode for a tunnel is GRE you have to define the mode IPsec IPv4 to configure the SVTI tunnel. 

There are two types of VTI (Virtual Tunnel Interface)

1.      Static Virtual Tunnel Interface

2.      Dynamic Virtual Tunnel Interface






configuration for SVTI is very simple we do not need to define interesting (ACL) traffic. configuration same just like we configure GRE with IPsec but with a small difference, we have to define the tunnel mode. 

let's see the topology:-https://youtu.be/b3wNC8mAI9E?si=NtBhT1iXmevfqbu7



  • configure the topology as per the diagram 
  • assign the IP addresses as per the topology 
  • configure static and default route 
  • configure tunnel between Site-A-R to Site-B-R 
  • configure EIGRP advertise tunnel interface and LAN network on both sites
  • configure IPsec and apply on the tunnel interface 
  • make sure data will encrypt 





Site-A-router(config)#interface serial 4/0
Site-A-router(config-if)#ip address 1.1.1.1 255.0.0.0
Site-A-router(config-if)#no shutdown
Site-A-router(config-if)#exit

Site-A-router(config)#interface fastEthernet 0/0
Site-A-router(config-if)#ip address 10.1.1.1 255.0.0.0
Site-A-router(config-if)#no shutdown
Site-A-router(config-if)#exit

INTERNET(config)#interface serial 4/0
INTERNET(config-if)#ip address 1.1.1.2 255.0.0.0
INTERNET(config-if)#no shutdown
INTERNET(config-if)#exit

INTERNET(config)#interface serial 4/1
INTERNET(config-if)#ip address 3.3.3.1 255.0.0.0
INTERNET(config-if)#no shutdown
INTERNET(config-if)#exit

INTERNET(config)#interface serial 4/2
INTERNET(config-if)#ip address 4.4.4.1 255.0.0.0
INTERNET(config-if)#no shutdown
INTERNET(config-if)#exit

Site-B-router(config)#interface serial 4/1
Site-B-router(config-if)#ip address 3.3.3.2 255.0.0.0
Site-B-router(config-if)#no shutdown
Site-B-router(config-if)#exit

Site-B-router(config)#interface fastEthernet 0/0
Site-B-router(config-if)#ip address 30.1.1.1 255.0.0.0
Site-B-router(config-if)#no shutdown
Site-B-router(config-if)#exit

Site-C-router(config)#interface serial 4/2
Site-C-router(config-if)#ip address 4.4.4.2 255.0.0.0
Site-C-router(config-if)#no shutdown
Site-C-router(config-if)#exit

Site-C-router(config)#interface fastEthernet 0/0
Site-C-router(config-if)#ip address 40.1.1.1 255.0.0.0
Site-C-router(config-if)#no shutdown
Site-C-router(config-if)#exit

Site-A-router(config)#do show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up

INTERNET(config-if)#do show ip int br
Interface                  IP-Address      OK? Method Status                Protocol

Serial4/0                  1.1.1.2         YES manual up                    up
Serial4/1                  3.3.3.1         YES manual up                    up
Serial4/2                  4.4.4.1         YES manual up                    up

Site-B-router#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            30.1.1.1        YES manual up                    up
Serial4/1                  3.3.3.2         YES manual up                    up

Site-C-router#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            40.1.1.1        YES manual up                    up
Serial4/2                  4.4.4.2         YES manual up                    up



Site-A-router(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.2

INTERNET(config)#ip route 10.0.0.0 255.0.0.0 1.1.1.1
INTERNET(config)#ip route 30.0.0.0 255.0.0.0 3.3.3.2

Site-B-router(config)#ip route 0.0.0.0 0.0.0.0 3.3.3.1


Site-A-router(config)#do trace 30.1.1.1

Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 1.1.1.2 16 msec 48 msec 20 msec
  2 3.3.3.2 68 msec 60 msec 64 msec

Site-A-router(config)#interface tunnel 1234
Site-A-router(config-if)#ip address 192.168.123.1 255.255.255.0
Site-A-router(config-if)#ip mtu 1400
Site-A-router(config-if)#ip tcp adjust-mss 1360
Site-A-router(config-if)#tunnel source 1.1.1.1
Site-A-router(config-if)#tunnel destination 3.3.3.2
Site-A-router(config-if)#exit

Site-B-router(config)#interface tunnel 123
Site-B-router(config-if)#ip address 192.168.123.2 255.255.255.0
Site-B-router(config-if)#ip mtu 1400
Site-B-router(config-if)#ip tcp adjust-mss 1360
Site-B-router(config-if)#tunnel source 3.3.3.2
Site-B-router(config-if)#tunnel destination 1.1.1.1
Site-B-router(config-if)#exit

Site-A-router(config)#router eigrp 123
Site-A-router(config-router)#network 192.168.123.0
Site-A-router(config-router)#network 10.0.0.0
Site-A-router(config-router)#no auto-summary
Site-A-router(config-router)#exit

Site-B-router(config)#router eigrp 123
Site-B-router(config-router)#network 192.168.123.0
Site-B-router(config-router)#network 30.0.0.0
Site-B-router(config-router)#no auto-summary
Site-B-router(config-router)#exit


*Jan 11 12:20:47.079: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.2 (Tunnel1234) is up:new adjacency

*Jan 11 12:20:47.747: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.1(Tunnel123) is up: new adjacency


Site-A-router#show ip eigrp neighbors
IP-EIGRP neighbors for process 123
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.123.2           Tu1234            11 00:01:26   66  1362  0  5

Site-B-router#show ip eigrp neighbors
IP-EIGRP neighbors for process 123
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.123.1           Tu123             11 00:01:02   67  1362  0  4





Site-B-router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 3.3.3.1 to network 0.0.0.0
C    192.168.123.0/24 is directly connected, Tunnel123
C    3.0.0.0/8 is directly connected, Serial4/1
D    10.0.0.0/8 [90/26882560] via 192.168.123.1, 00:01:11, Tunnel123
C    30.0.0.0/8 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 3.3.3.1



Site-A-router(config)#crypto isakmp policy 123
Site-A-router(config-isakmp)#authentication pre-share
Site-A-router(config-isakmp)#hash sha
Site-A-router(config-isakmp)#group 5
Site-A-router(config-isakmp)#encryption aes
Site-A-router(config-isakmp)#exit

Site-A-router(config)#crypto isakmp key 0 internet address 3.3.3.2

Site-B-router(config)#crypto isakmp policy 123
Site-B-router(config-isakmp)#authentication pre-share
Site-B-router(config-isakmp)#hash sha
Site-B-router(config-isakmp)#group 5
Site-B-router(config-isakmp)#encryption aes
Site-B-router(config-isakmp)#exit

Site-B-router(config)#crypto isakmp key 0 internet address 1.1.1.1

Site-A-router(config)#crypto ipsec transform-set TRANS-SET esp-aes esp-sha-hmac
Site-A-router(cfg-crypto-trans)#mode ?
  transport  transport (payload encapsulation) mode
  tunnel     tunnel (datagram encapsulation) mode
Site-A-router(cfg-crypto-trans)#mode tunnel
Site-A-router(cfg-crypto-trans)#exit


Site-B-router(config)#crypto ipsec transform-set TRANS-SET esp-aes esp-sha-hmac
Site-B-router(cfg-crypto-trans)#mode tunnel
Site-B-router(cfg-crypto-trans)#exit

Site-A-router(config)#crypto ipsec profile SVTI
Site-A-router(ipsec-profile)#set transform-set TRANS-SET
Site-A-router(ipsec-profile)#exit

Site-B-router(config)#crypto ipsec profile SVTI
Site-B-router(ipsec-profile)#set transform-set TRANS-SET
Site-B-router(ipsec-profile)#exit

Site-A-router(config)#interface tunnel 1234
Site-A-router(config-if)#tunnel protection ipsec profile SVTI
Site-A-router(config-if)#tunnel mode ipsec ipv4
Site-A-router(config-if)#end

Site-B-router(config)#interface tunnel 123
Site-B-router(config-if)#tunnel protection ipsec profile SVTI
Site-B-router(config-if)#tunnel mode ipsec ipv4
Site-B-router(config-if)#exit

Site-A-router#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
Serial4/0                        1.1.1.1         YES manual up                    up
Tunnel1234                 192.168.123.1   YES manual up                up

Site-B-router#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            30.1.1.1        YES manual up                    up
Serial4/1                        3.3.3.2         YES manual up                    up
Tunnel123                  192.168.123.2   YES manual up                 up

Site-A-router#show interfaces tunnel 1234
Tunnel1234 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.123.1/24
  MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.1.1, destination 3.3.3.2
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1438 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "SVTI")




Site-B-router#show interfaces tunnel 123
Tunnel123 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.123.2/24
  MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 3.3.3.2, destination 1.1.1.1
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1438 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "SVTI")


Site-A-router#traceroute 30.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 192.168.123.2 44 msec 68 msec 60 msec



Site-A-router#show crypto ipsec sa

interface: Tunnel1234
    Crypto map tag: Tunnel1234-head-0, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 3.3.3.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 30, #pkts encrypt: 30, #pkts digest: 30
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     


Site-B-router#ping 10.1.1.1 repeat 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 44/62/80 ms



Site-B-router#show crypto ipsec sa

interface: Tunnel123
    Crypto map tag: Tunnel123-head-0, local addr 3.3.3.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1250, #pkts encrypt: 1250, #pkts digest: 1250
    #pkts decaps: 1251, #pkts decrypt: 1251, #pkts verify: 1251
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: 3.3.3.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial4/1
     current outbound spi: 0x452C1DB(72532443)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x591B0BB3(1494944691)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000046, crypto map: Tunnel123-head-0
        sa timing: remaining key lifetime (k/sec): (4478462/2938)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x452C1DB(72532443)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000046, crypto map: Tunnel123-head-0
        sa timing: remaining key lifetime (k/sec): (4478462/2938)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (3.3.3.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 3.3.3.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial4/1
     current outbound spi: 0xE345F7FE(3813013502)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9FEF2C28(2683251752)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, sibling_flags 80000046, crypto map: Tunnel123-head-0
        sa timing: remaining key lifetime (k/sec): (4533007/2960)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE345F7FE(3813013502)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, sibling_flags 80000046, crypto map: Tunnel123-head-0
        sa timing: remaining key lifetime (k/sec): (4533007/2960)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


No comments:

Post a Comment